Outline

Program Cryptography: Introduction

Program Cryptography: Background

Start with Python

Learn C Next

Why Learn Python First?

**The Best Book to Learn Data Structures & Algorithms****Relevant Data Structures & Algorithms for Cryptography**LeetCode to Build Data Structures & Algorithms

Secure Coding Practices

Side-Channel Attacks

Fault-Injection Attacks

Books to Learn Math for Cryptography

Books to Learn Programming Cryptography

A Simple Request

## Program Cryptography: Introduction

Cryptography is not a field for the faint of heart. You will first have to build the programming background. Next you will have to learn the math. If you are new to the math of the field I would start with the following:

## Program Cryptography: Background

### Start with Python

You should already have programming experience by the time you decide you want to learn how to program cryptosystems. If you are reading this and have no coding experience--I suggest you get started!

I recommend starting with Python. Python is simple to learn and is used in the cryptography field a lot. A great beginner text on Python is No Starch Press's "__Python Crash Course, 3rd Edition__" by Eric Matthes:

Many experienced Python coders recommend the above text for beginners. It has many fun projects for you to work on. In addition to doing projects you should also build your __Data Structures and Algorithms__ skills. This is your skill in managing information using a modern machine.

As you do the exercises in beginner books such as Python Crash Course I suggest you start building your DS&A skills using a website called __CodingBat__.

This is a beginner friendly website with puzzles that test your ability in managing information using standard methods such as arrays Lists, strings, and more. This is what I used when I was learning how to program for the first time in Java and it works equally well with Python!

### Learn C Next

Once you have done most of the exercises in beginner books such as "Python Crash Course" and CodingBat I next suggest learning the C programming language. ** It is essential for cryptographic engineers to understand how the machine manages memory**! The most dangerous security exploits mess with how machines manage them and I will talk about this more in the future section "Secure Programming Practices".

For now just know that the __most____ ____influential____ ____cryptographic____ ____programming____ ____libraries__ continue to be written in C to this day and there is little sign that this is changing in the near future. With C it is easy to make code portable, fast, and memory efficient. Those are common business demands! For example, if you are reading this your computer is using __OpenSSL__--a library that implements a famous protocol for Transport Layer Security on servers. That is the protocol that prevents someone from spying on what you send to any website you are talking to and vice-versa.

When you are learning C for the first time I * strongly* recommend picking up Kenneth A Reek's "

__Pointers on C__".

It is the only book that thoroughly explains pointers. Its code samples heavily use pointers--and much more than necessary. This was done to help the coder master the difficult practice of using pointers in code. I even recommend reading this before you read the next book which is very famous:

The K&R Book:

#### This is the book written by the original development team behind the language. It contains timeless information on the grammar of the language and simple code samples that reveal how C is used to program operating systems. That is what C was designed for.

Since all modern operating systems rely on C source code to function C still is the lingua franca in the programming community. And since operating system code is written in C--many nasty security attacks including those affecting cryptography deal with that.

A third reason to learn C: it has the best documentation on secure coding practices to avoid many--though not all--of the attacks that can affect the safety of code bases. C may suffer from infamous security exploits and people say that you should not use it for that reason--but people have written documentation on how to write your programs in C to avoid those security exploits--moreso than any other language I have seen including Python. For this reason alone C is easily a must learn for the cryptographic engineer.

I will give more information on how you can write C programs to avoid those exploits in a future section.

Why Learn Python First?

If the bulk of modern cryptographic code is written in C why bother studying Python first? There are couple of reasons for that:

It is a programming language easy to get started with. Asking newbies to program in C would demand too much at once.

Python seems destined to be the lingua franca of quantum computing. Few commercial quantum computers are available for us to try out at this time. One of them, IBM Qiskit, offers a Python SDK.

### The Best Book to Learn Data Structures & Algorithms

I recommend reading Steven S. Skiena's "__The Algorithm Design Manual, Third Edition__". This book gives excellent conceptual explanations of the concept followed by sample C source code. I recommend you * manually* type the sample source code in the chapters you read, compile the programs, and test the programs with sample input yourself. Oh, and please do the relevant exercises. You cannot learn much without doing so. :)

### Relevant Data Structures & Algorithms for Cryptography

Since you are interested in programming cryptography which Data Structures and Algorithms should you focus on? From Skiena's book I recommend the following sections:

List of Sections from The Algorithm Design Manual

Read Chapter 1 and Do Some Exercises

Chapter 1 introduces the mindset and approach you should take when applying DS&A. A must read.

Read Chapter 2 and Do Exercises

This chapter reviews Algorithm Analysis: a technique to compare how efficient your program is compared to others.

Read Chapter 3 on Data Structures and Do Exercises

All the data structures mentioned (Arrays, Linked Lists, Trees, and Hashing) you will later see throughout your career in cryptography.

Read Chapter 5 on Divide and Conquer

This chapter teaches you techniques to help your program

Cryptography demands your machine's system resources. So this chapter is critical.__run faster.__Pay special attention to the sections on Fast Multiplication and Fast Polynomial Multiplication. You will need Fast Multiplication to program

__public-key cryptography__. Fast Multiplication is a technique to multiply huge numbers in a short period of time. You will need a special case of__Polynomial Multiplication__known as__Finite Field Arithmetic__to program__stream ciphers__and even to program a famous encryption method called__Advanced Encryption Standard (AES)__.

Read Chapter 6 on Hashing and Randomized Algorithms

Hashing is a major concept in cryptography. It is used to protect our passwords from being guessed and to check if documents were received correctly across the Internet. So its a must-read.

Read Chapter 12, Section 10 (12.10) on Quantum Computing

The NIST recently approved of

__Four Quantum-Safe Cryptosystems__. Some companies are preparing to be ready against attacks that can be made by a quantum computer by 2030 CE. It is best if you get started with Quantum Cryptography now!Skiena only glosses over standard quantum algorithms such as Shor's Algorithm and Grover's Algorithm. Shor's Algorithm threatens the security of classical public-key cryptosystems (e.g. RSA). Grover's Algorithm threatens the safety of symmetric-key based classical cryptosystems (e.g. AES).

LeetCode to Build Data Structures & Algorithms

Simply doing even __all__ of the book exercises in Skiena's great book is not good enough! You have to practice doing the DS&A problems the industry expects you to perform!

And __HackerRank__ and __LeetCode__ is an excellent website to practice your skills. There are several problems in LeetCode that I strongly recommend you solve before even worrying about programming cryptography.

__LeetCode__ is the de-facto website software engineers visit to practice their skills in writing *useful* programs. Without data structures and algorithms it would be difficult if not impossible to write programs that can benefit people. They are the means we extract useful information from the data we have. Applicants to software engineering roles test their coding skills on LeetCode to prepare for job interviews. If you can write coding solutions that

On LeetCode you will see several sample programming puzzles that you are challenged to solve by writing code. LeetCode is a large site and there are over a thousand problems you can choose from.

These websites present you a challenge to write a program that solves a challenge. The website will run your program against test cases to check that your program works properly.

This is an efficient way to tell if you mastered the concept Skiena discusses in his book.

Secure Coding Practices

Once you nailed the Data Structures & Algorithms from Skiena's book and programming challenges you are ready to start learning about Secure Coding Practices. These are techniques to write your program in such a way as to avoid common security exploits.

Some of the most frequent security exploits that affect cryptosystems include Buffer Overflows, Integer Overflows, Dynamic Memory Exploits, and more. A lot of these are caused by *malpractice*--bad programming habits. And attackers do target cryptography code with these of course.

As a cryptographic engineer it is our responsibility to ensure our codebases are resistant to such attacks. I would say Robert C Seacord's "Secure Coding in C/C++ is a __must read.__

CERT, the organization that Seacord leads, also published an up-to-date __online guide__ as well.

Recently, O'Reilly a published a more up-to-date book on the same topic: __Secure Programming Cookbook__.

Side-Channel Attacks

It is not good enough to be good at standard secure coding practices. There are attacks designed to work against programs of cryptosystems themselves. One important classes of such attacks are __side channel attacks__.

Side channel attacks try to steal the secret key by observing patterns in the machine's behavior while executing a program for a cryptosystem. Side channel attacks have been used to steal the secret key from RSA, AES, and Elliptic Curves in important applications of cryptography such as __Transport Layer Security__.

Not all side-channel attacks are equally dangerous. The most common threat are time-based and cache-based side channel attacks. The easiest way to avoid them is to use a cipher that is designed to be resistant to them in the first place!

Programs of cryptosystems that are designed to be resistant to these common side-channel attacks will not rely on the brand of hardware of the machine and are __easier to program__ than the cryptosystems that rely on hardware in the second place. They are also more portable since they are not tied to a specific brand of hardware.

A symmetric cipher that is designed to be resistant to time-based and cache-based side channel attacks is __XChaCha20__.

The __NIST approved__ of several post-quantum safe public-key cryptosystems that are not just resistant to the most common side channel attacks but also quantum-computing attacks.

The most important reason for that is that it will take long periods of time to get organizations to adapt to the new cryptosystems. People have to spend time understanding the math, learning how to program quantum machines for cryptanalysis, learning how to program the cryptosystems themselves in classical computers, and integrating production-quality cryptosystems into their own production environments! That's __a lot__ to take in.

I recommended the new NIST-post quantum safe cryptosystems since quantum computers were destined to break classical public-key cryptosystems anyway.

Fault Injection Attacks

__Fault Injection Attacks__ take place when the attacker forces the computer hardware to malfunction--causing secrets to be leaked. RISCURE, the organization whose leaders published the book aforementioned, also wrote a nice guide on how to write programs __resistant to them__.

## Books to Learn Math for Cryptography

Cryptography without math is like Physics without math--you are not going to be able to make anything useful without it!

Now that you have the programming experience necessary to program the math--its time to learn the math!

An excellent first text on the math for cryptography is Christoph Parr's and Pelzl's "Understanding Cryptography":

This was the first text I read and whose problems I did back when I was learning it for the first time. One of the authors, Christoph Paar, also made a great series of lectures now on __Youtube__.

The authors recommended __The Handbook of Applied Cryptography__ as an excellent supplement. This book is an excellent review of the math required in classical cryptography and occasionally gives pseudocode on how to program it on a machine:

A second book the authors recommended as a supplement is "__The Encyclopedia of Cryptography__" edited by Henk van Tillborg:

A great book on the math required for classical public-key cryptosystems is "__An Introduction to Mathematical Cryptography__" by Jeffrey Hoffstein et al. Hoffstein helped co-invent the FALCON quantum-safe public-key cryptosystem--so he is an expert in the field:

If your budget can afford the next two books I would instantly purchase a comprehensive book that reviews the math, the design, the diagrams, and the pseudocode for classical cryptography. This book's name is long: "__Cryptography: Algorithms, Protocols, and Standards__" by Zoubir M. Mammeri. It comes complete with exercises and solutions for every chapter. It has an outstanding summary of classical cryptography but it is *so* expensive:

A final book I would __strongly__ recommend is the "Handbook of Elliptic and Hyperelliptic Curve Cryptography". This is an outstanding reference on the math behind elliptic curve cryptography. The book's explanations are so clear you can easily translate the math into working software:

Books to Learn Programming Cryptography

If you are interested in learning how to program cryptography I am sorry to say there are a few books in the market that aim to help with that. Here are the few that are worth checking out:

Joshua Davies's book "Implementing SSL/TLS":

This book gives sample code of cryptosystems used in Transport Layer Security. This is the program that encrypts all website traffic on websites--including the one you are reading from right now. Without TLS, e-commerce on the Internet would never be safe as we know it.

Some of the cryptosystems mentioned in the above book include RC4, AES, RSA, Diffie-Hellman, and more. The code in the book * should never be used in production.* The code was only designed to technically correct according to specs--not be secure enough for production.

Bruce Schneier's book "Applied Cryptography":

__Bruce Schneier__ is a respected cryptographer. He helped invent Twofish, Blowfish, Fortuna, and others. The C source code in the book is great to get started with writing cryptography. Unfortunately the book is now very out of date. Unfortunately, it was the last published of its kind!

"Modern Computer Arithmetic" by Richard Brent & Paul Zimmermann:

Fellow Redditors have recommended this book for all the arithmetic necessary in cryptography--such as when coding multi-precision arithmetic. This book makes it easier to translate the theory behind such math concepts into working programs:

"Hacker's Delight: Second Edition by Henry S. Warren, Jr.":

All of the books besides Schneier's introduce the math background to help you understand cryptosystems. The above books gives formulas to solve arithmetic problems using bitwise manipulation techniques. Not only will this help your cryptographic programs run faster--you will find the formulas in the book are crucial to developing code resistant to side channel attacks including timing attacks, power analysis, and fault injection attacks. For this reason alone you should have a physical copy next to you at all times. It is a distilled, easier to read version of many of the program discussed in Donald Ervin Knuth's "The Art of Computer Programming".

"The Art of Computer Programming" by Donald Ervin Knuth:

Everyone reading this that has a programming background probably heard of this book. It's that book we all heard of and either bought, stuffed in our bookshelves, and allowed to gain dust. It is as massive as it is an indispensable review of computer science theory and practice. For cryptographic engineers it has been seen used as a reference on important math concepts. For cryptographic engineers it has been seen used as a reference on important math concepts. For example, the creators of __dudect__, a C program to verify if a C program is constant-time, have cited the book when coding the tool.

When you purchase the books you will at first feel guilty for blasting $300 USD for getting them. Later, you will realize it contains insights you would be hard-pressed to find elsewhere.

For some reason, security engineers do not publish books on programming cryptography for production environments. And yet--it is undeniable we count on said technology *every day*!

A Simple Request

Are you interested in programming cryptography? Are you struggling with translating concepts in theory to working code. Are you struggling with figuring out how to make your code correct, secure, and easy for others to refactor? I got so tired of trying to find books on the matter that I decided to start writing my own.

If you are serious about programming cryptography to earn a living as I am please consider checking out a preview of my book at:

At the time of this writing I admit I have only written the Preface + Table of Contents. This is to help me know if readers like you will be interested in such content. On the webpage of the book preview you are more than welcome to leave any comments and suggestions.

Thanks for reading this blog!

Image Credits

Blog Frontal Image Credits attributed to:

## Comments